A.A.A. Send ALERT LOG to QRADAR #9282
Your title says |
To forward events to an external destination, the QRADAR guide tells me to create a new custom configuration file on the handler at /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/NANO NAMEFILE.CONF
The file I created for the situation I need is:
output {
  if [module] =~ "suricata" and [dataset] =~ "alert" {
    syslog {
      host => "192.X.X.X"
      port => 514
      appname => "suricata"
      protocol => "tcp"
    }
  }
}
In this way, however, I get ALL the LOGS.
I would like only the "ALERT" LOGs that I have in my Security Onion to be forwarded to my QRADAR.
How can I do this? How should I edit the file? Thank you.
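The following Logstash output stanza is an added example, not the poster's file and not from the Security Onion project or its QRadar guide. Whether the conditional matches anything depends entirely on how the events are shaped when they reach this pipeline, so two things in it are assumptions: that the events carry ECS-style nested fields event.module and event.dataset (referenced in Logstash as [event][module] and [event][dataset]), and the placeholder collector address 192.0.2.10. It uses exact equality instead of a regex match so that a dataset value is matched whole rather than as a substring, and it includes a commented-out stdout debug output that can be enabled briefly to print a few events and confirm the real field names before anything is sent to QRadar.

```logstash
output {
  # Temporary check (constructed for this example): enable to print the full
  # field structure of incoming events, then remove once the field paths are
  # confirmed. Leaving it on writes every event to the Logstash log.
  # stdout { codec => rubydebug }

  # Only Suricata alert events take this branch; everything else falls through
  # untouched to the pipeline's existing outputs. Field paths are an assumption
  # (ECS-style event.module / event.dataset) and must be verified locally.
  if [event][module] == "suricata" and [event][dataset] == "alert" {
    syslog {
      host     => "192.0.2.10"   # placeholder QRadar event collector address
      port     => 514
      protocol => "tcp"
      rfc      => "rfc5424"      # structured header QRadar's syslog source expects
      appname  => "suricata"
      codec    => json           # send the whole alert document as the message body
    }
  }
}
```

If the debug output shows the module and dataset at the top level of the event rather than nested under event, change the two field references back to [module] and [dataset]; the rest of the stanza is unaffected.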